NATIONAL CREDIT UNION ADMINISTRATION
OFFICE OF INSPECTOR GENERAL

OFFICE OF FOREIGN ASSET CONTROL
COMPLIANCE REVIEW

Report #OIG-06-09

December 18, 2006

William A. DeSarno
Inspector General

Released By:
James W. Hagen
Assistant Inspector General for Audits

Auditor-in-Charge:
Charles E. Funderburk, CPA
Senior Auditor

TABLE OF CONTENTS

EXECUTIVE SUMMARY
BACKGROUND
PURPOSE AND OBJECTIVES
SCOPE AND METHODOLOGY
RESULTS
RECOMMENDATIONS
MANAGEMENT RESPONSE
APPENDIX A
APPENDIX B

EXECUTIVE SUMMARY

The United States Congress has shown an interest in the status of financial institutions’
compliance with the Office of Foreign Assets Control (OFAC) administered laws and
regulations. Therefore, the National Credit Union Administration (NCUA) Office of
Inspector General (OIG) initiated a review to determine whether NCUA provides
effective supervision over federally chartered credit unions’ compliance with OFAC
requirements.

We reviewed OFAC program requirements as well as NCUA policies, procedures and
guidance related to the examination and supervision of credit unions’ compliance with
those requirements.
In addition, we reviewed the Federal Financial Institutions
Examination Council (FFIEC) Bank Secrecy Act/Anti-Money Laundering Examination
Manual (BSA/AML Manual) as it relates to OFAC requirements. Finally, we reviewed
reports of examination and related examination workpapers for a random judgmentally
selected sample of 12 federally chartered credit unions.

Our efforts to evaluate and verify the examiners’ conclusions were hampered by the lack
of documentation. We were unable to determine conclusively whether NCUA was
effectively supervising federal credit unions’ compliance with OFAC regulations. Under
the NCUA Risk Focused Examination program, OFAC compliance is not required to be
reviewed at each examination and NCUA examination workpapers are exception based.
If an examiner concludes that an institution is OFAC compliant, there is no requirement
that the examiner maintain copies of documentation to support that conclusion. We
believe, however, that this policy makes it difficult to assess the adequacy of
examinations and creates inconsistency in how program results are documented.
Guidelines recently issued by the FFIEC should help ensure the consistency of
examination coverage.

Eleven of twelve credit unions in our sample were reviewed by NCUA examiners for
OFAC compliance. However, there was a lack of supporting documentation for some
OFAC examination procedures performed, and only six of the twelve examinations made
use of the NCUA OFAC checklist.

NCUA has issued guidance to both credit unions and examiners which addresses the
requirements for an OFAC compliance program and supervision of that program,
respectively.
However, in both instances we found the guidance too general, especially
with regard to guidelines for examiner review of credit union compliance programs.

The OIG has made two recommendations that should result in an improved OFAC
compliance examination program.

BACKGROUND

OFAC Requirements

The Office of Foreign Assets Control (OFAC) of the U.S. Department of Treasury
administers and enforces economic and trade sanctions based on U.S. foreign policy and
national security goals against targeted foreign countries, terrorists, international
narcotics traffickers, and those engaged in activities related to the proliferation of
weapons of mass destruction. OFAC acts under Presidential wartime and national
emergency powers, as well as authority granted by specific legislation, to impose controls
on transactions and freeze foreign assets under U.S. jurisdiction.

OFAC regulations apply to all U.S. persons and entities, including financial institutions.
Financial institutions are subject to the prohibitions and reporting required by OFAC
regulations. However, OFAC has not issued specific regulatory program requirements
for compliance. A violation of law occurs only when a financial institution conducts a
transaction which has been blocked or rejected, or fails to block or report an illicit
transfer. Moreover, while there is no minimum or maximum dollar limit on transactions,
every transaction is subject to OFAC sanctions.

OFAC maintains the list of Specially Designated Nationals (SDN), which includes the
names of individuals and entities whose transactions are prohibited. The SDN is
frequently updated with no predetermined timetable. OFAC urges financial institutions
to establish compliance programs, including designating an OFAC compliance officer,
and developing internal audit procedures.
OFAC recommends that financial institutions
conduct in-depth audits at least annually. OFAC further states that an adequate
compliance program depends in large part on who the financial institution’s customers
are and what kinds of business the financial institution conducts.

Financial institutions are required to report, in writing, all blocked and rejected
transactions to OFAC within ten days of occurrence. In addition, there is an annual
financial institution reporting requirement of blocked transactions held, as of June 30,
which is due September 30.

Financial regulatory agencies, including NCUA, are responsible for reviewing financial
institutions under their supervision to determine the adequacy of OFAC compliance
programs.

Agency Issued OFAC Compliance Guidance

NCUA has issued guidance on OFAC program compliance through the NCUA
Examiner’s Guide, NCUA Federal Credit Union (FCU) Handbook, NCUA Letters to
Credit Unions, and NCUA Regulatory Alerts. (See Appendix A for details).

Appendix 18A of the NCUA Examiner’s Guide sets forth the OFAC compliance
requirements that credit unions must adhere to. The Guide provides a brief overview of
what a viable compliance program should cover, including requiring credit unions, when
they conduct member/customer identification procedures, to determine whether the
member or entity appears on the SDN list.
The FCU Handbook generally provides that
credit unions must maintain a current list of prohibited individuals and countries; must
compare their members, new members and account transactions against the list; must
block all accounts and transactions with prohibited entities; and must ensure that a
designated person compares and maintains the current list of prohibited individuals and
entities with members’ transactions.

NCUA Letter to Credit Unions 05-CU-09, issued June 2005, states that credit unions
have both BSA and OFAC responsibilities. While recognizing that BSA and OFAC
requirements are separate and distinct, Letter 05-CU-09 emphasizes that both are an
essential part of an anti-money laundering program. Consequently, the letter directs
credit unions to evaluate potential compliance violations under the BSA and OFAC and
take appropriate action to reduce any risks detected or address any violations.

Likewise, NCUA has advised its examiners to treat compliance with OFAC requirements
as related to BSA compliance, such that supervisory examinations by the regulators for
both BSA and OFAC programs are connected. In December 2001, NCUA issued Letter
to Credit Unions 01-CU-25, which stated that, as part of NCUA’s responsibility to ensure
federally insured credit unions comply with applicable laws and regulations, NCUA had
developed an examiner checklist which examiners may use to document their review of a
credit union’s OFAC compliance program.

Federal Financial Institutions Examination Council (FFIEC) [1] Bank Secrecy
Act/Anti-Money Laundering Examination Manual

In order to codify in one comprehensive document previously issued guidance on the
BSA and anti-money laundering efforts, the Financial Crimes Enforcement Network
(FinCEN), OFAC, and FFIEC members, including NCUA, worked together to develop
standards to evaluate BSA and OFAC compliance programs at financial institutions.
In
June 2005, the FFIEC released its Bank Secrecy Act Anti-Money Laundering Examination
Manual (BSA/AML Manual). Federal agencies, including NCUA, began using the
Manual during the third quarter of 2005. On July 28, 2006, the FFIEC released a revised
BSA/AML Manual. The Manual was updated to further clarify supervisory expectations
and incorporate regulatory changes since the manual’s 2005 release. The revisions also
drew upon feedback from the banking industry and examination staff.

Portions of the Manual relate specifically to compliance with various OFAC sanctions
programs. In addition, working with FFIEC members, OFAC developed a risk matrix
(see Appendix B to this report) which may be used by financial institutions as “best
practices.” The matrix provides a guide for evaluating a credit union’s risk of
encountering accounts or transactions subject to OFAC regulations and for determining
the quality of an institution’s compliance program.

[1] FFIEC, established under Title X of the Financial Institutions Regulatory and Interest Rate Control Act of 1978, is a
formal interagency body empowered to prescribe principles, standards, and report forms for the examination of
financial institutions by federal regulators. The members of FFIEC, in addition to NCUA, are the Office of the
Comptroller of the Currency, the Federal Deposit Insurance Corporation, the Board of Governors of the Federal
Reserve System, and the Office of Thrift Supervision.

PURPOSE AND OBJECTIVES

The U.S. Congress has shown an interest in the status of financial institutions’
compliance with OFAC foreign sanction requirements.
Therefore, the NCUA OIG
initiated a review to determine whether NCUA provides effective supervision over
federally chartered credit unions’ compliance with OFAC requirements.

SCOPE AND METHODOLOGY

We reviewed OFAC sanction requirements and NCUA policies, procedures and guidance
related to the examination and supervision of credit unions’ compliance with OFAC
requirements. In addition, we reviewed the FFIEC BSA/AML Examination Manual as it
relates to NCUA examiner efforts to supervise OFAC compliance.

We reviewed reports of examination and related examination workpapers for a random
judgmentally selected sample of 12 federally chartered credit unions. Our sample
consisted of credit unions with headquarters located in New York, New York; Miami,
Florida; and Los Angeles, California. In addition, the sample was stratified between
large, medium and small asset sized credit unions. The reviewed examinations had
effective dates between July 1, 2005 and March 31, 2006.

This engagement was performed in accordance with Generally Accepted Government
Auditing Standards.

RESULTS

NCUA supervision for OFAC compliance

Our efforts to evaluate and verify the examiners’ conclusions were hampered by the lack
of documentation. We were unable to conclude as to the effectiveness of NCUA
supervision over credit union compliance with OFAC regulations. Under the NCUA
Risk Focused Examination program, review of OFAC compliance is not required as part
of a credit union examination. If examiners conclude that an institution is OFAC
compliant, NCUA does not require that documentation be maintained and available to
support their conclusions. As a result, documentation is often not available to allow an
external reviewer to verify and assess the examiners’ conclusions.
NCUA guidelines do
not specify the level of testing or the supporting documentation needed to substantiate
OFAC compliance testing.

NCUA examiners reviewed eleven of twelve credit unions in our sample for OFAC
compliance. However, there was a lack of supporting documentation for some
examination procedures performed and only six of the twelve examinations made use of
the NCUA OFAC checklist. Only one of the eleven credit unions reported an OFAC
violation. The credit union reported this violation to OFAC in 2006. In addition, the
workpapers for one credit union contained no discussion or reasons why OFAC
procedures were not reviewed.

In our review of the eleven credit unions where we found some evidence of examiner
review of OFAC compliance, examiners identified the following findings:
    • No OFAC audit – 3 credit unions
    • Policies need to be updated – 3 credit unions
    • Need independent testing – 2 credit unions
    • Need to test all parties to account/transactions – 2 credit unions
    • Need to test wire transfers, check deposits and internet bill pays – 1 credit union
    • Member accounts not matched timely to SDN list – 2 credit unions
    • Need an OFAC compliance officer – 2 credit unions
    • Need OFAC training for staff – 5 credit unions

Examiners may use the NCUA OFAC checklist to document their review of a credit
union’s OFAC compliance program. Agency management cited this checklist as a
source document in conducting OFAC compliance reviews. Two of the three regional
directors cited the OFAC checklist as the workpaper used to document an OFAC review.
One of these regional directors stated that the OFAC checklist is the internal control that
ensures examiners performed appropriate examination procedures.
Our review found
that only six of the twelve examinations utilized the OFAC checklist. See Appendix A
for details of the checklist.

Listed below is a summary of the examination procedures performed for the twelve
federally insured credit unions in our sample.

Compliance Risk Assessment
All twelve credit unions were assigned a risk rating for compliance risk (6 rated high, 4
rated moderate and 2 rated low). However, eight credit unions lacked sufficient
documentation in the scope workbook to support risk associated with OFAC as part of
the overall compliance rating. For example, one credit union with a high compliance risk
rating had workpapers that referred to BSA but did not address OFAC risk or the FFIEC
OFAC risk factors, other than electronic banking.

Examination Scope
Seven credit unions lacked sufficient documentation regarding exam procedures
performed. For example, the workpapers reviewed for several credit unions simply stated
“reviewed compliance for OFAC” with no further explanation. In other reviews the
examiner referred to BSA exam procedures without mentioning OFAC.

Policies and Procedures
Six credit union examinations lacked sufficient documentation regarding the examiners’
review of OFAC policy/procedures. In two additional exams, we noted that the
workpapers credited the credit union with having policies and procedures. However, our
review of those policies and procedures indicated that they were overly general and did
not provide details on how often the credit union should perform transaction testing and
on which products.

Transaction Testing
Five of the twelve exams in our sample lacked sufficient documentation supporting exam
transaction procedures performed.
Another three exams had limited workpaper
discussion of procedures performed and one exam had no OFAC testing procedures
performed by the examiner.

Four credit unions used some form of interdict software for transaction testing. The
examination workpapers for seven credit union examinations were silent on the method
used by the credit unions for transaction testing. Without the use of some form of
interdiction software, credit unions would have had to perform manual transaction
testing.

Compliance Conclusion
Our efforts to evaluate and verify the examiners’ conclusions regarding OFAC
compliance were hampered by the overall lack of documentation. If examiners conclude
that an institution is OFAC compliant, NCUA does not require the examiner to maintain
documentation to support their conclusions. As a result, documentation is often not
available to allow an external reviewer to verify and assess the examiners’ conclusions.
NCUA guidelines do not specify the level of testing or the supporting documentation
needed to substantiate OFAC compliance results.

We found that five exams (four with a high and one with a moderate compliance risk
rating) lacked a specific conclusion regarding OFAC compliance. In addition, four
exams lacked sufficient exam documentation to support the OFAC compliance
conclusion. For example, one examiner concluded that there were no significant
weaknesses in the OFAC compliance program.
However, there was a lack of supporting
documentation for the assessment of OFAC risk, exam scope, and policies and procedures
review, and transaction testing was limited to BSA transactions.

Recommendation 1
NCUA should ensure that whenever examiners conduct an OFAC review, the
examination workpapers should contain sufficient documentation to support the OFAC
risk assessment and when applicable:
    • The related OFAC examination scope;
    • Policies and Procedures review;
    • Transaction testing review; and
    • An overall OFAC compliance conclusion

Management Response
Agree. NCUA management agrees with the need for sufficient documentation to support
a review of OFAC requirements if the risk profile warrants such a review.

OIG Response
Concur with agency response.

OFAC Guidance

NCUA has issued guidance to both credit unions and examiners which addresses the
requirements for an OFAC compliance program. However, in both instances the
guidance is too general and does not provide specific guidelines, especially for
examiners. NCUA OFAC guidance is frequently included as part of more specific BSA
guidance, although OFAC and BSA regulations and examination compliance are distinct
in many ways. For example, the NCUA Examiner’s Guide discusses OFAC examination
procedures under the Guide section for BSA. The Guide provides a general discussion of
OFAC requirements and only limited discussion of specific examination procedures for
an OFAC review. NCUA guidance does not provide specific guidance on how to assess
OFAC compliance risk; how that risk impacts upon examination scope and procedures;
or the depth of review required.

We noted six examinations where BSA and OFAC discussions were commingled. This
made it unclear whether the examination procedures were related to BSA or OFAC
compliance.

In June 2005, FFIEC first released the BSA/AML Manual.
An updated manual was
released in June 2006. The manual includes core procedures for examiners to use to
determine whether financial institutions are in compliance with OFAC sanctions
programs.

According to the BSA/AML Manual, financial institutions should use a risk based
approach when considering the likelihood of encountering possible OFAC violations.
The manual recognizes that a fundamental element of sound OFAC compliance is an
institution’s assessment of its product lines, customer base, geographic location, the
nature of its transactions, and the identification of high-risk areas for OFAC transactions.

Recommendation 2
NCUA should ensure that examiners use the applicable policies and procedures in the
FFIEC Bank Secrecy Act/Anti-Money Laundering Examination Manual as well as the
NCUA Examiner’s Guide and policy directives when examining credit unions for OFAC
compliance.

Management Response
Agree. NCUA management agrees with using applicable policies and procedures in the
FFIEC Bank Secrecy Act/Anti-Money Laundering Examination Manual as well as the
NCUA Examiner’s Guide and policy directives when examining credit unions for OFAC
compliance.

OIG Response
Concur with agency response.

MANAGEMENT RESPONSE

EI/MJB:mjb

Sent via E-Mail

TO:       William DeSarno, Inspector General
          Office of Inspector General

FROM:     Director David M. Marquis
          Office of Examination and Insurance

SUBJECT:  Comments on Office of Foreign Asset Control Compliance Review Report

DATE:     December 14, 2006

This memorandum responds to your request for comments on the report titled, Office of
Foreign Asset Control Compliance Review (IG Audit Report #OIG-06-09). My office
appreciates the opportunity to comment on the report and we agree with the two
recommendations contained in it. As you appropriately pointed out in the report, our
examiners have been assessing compliance with OFAC requirements as directed under
our current risk-based examination program. In order to provide the additional
documentation cited in your report, we will need to evaluate amending our examination
process as it relates to OFAC compliance.

We offer the following comments regarding the specific recommendations contained in
the report:

OIG Report Recommendation #1
NCUA should ensure that whenever examiners conduct an OFAC review, the
examination workpapers should contain sufficient documentation to support the OFAC
risk assessment and when applicable:
    • The related OFAC examination scope;
    • Policies and Procedures review;
    • Transaction testing review; and
    • An overall OFAC compliance conclusion.

Office of Examination & Insurance Response:
My office agrees with the need for sufficient documentation to support a review of OFAC
requirements if the risk profile warrants such a review. At this time, however, we do not
require credit unions to perform an OFAC risk assessment, nor do we require our
examiners to perform one if a credit union has not completed one.
That being said,
because we expect credit unions to develop risk-based OFAC procedures commensurate
with their risk profiles, a review of a risk assessment should be sufficiently documented.

I understand the other federal banking agencies are also evaluating OFAC compliance
guidance and believe it is appropriate to confer with them on this issue to ensure
consistency among the regulators.

OIG Report Recommendation #2
NCUA should ensure that examiners use the applicable policies and procedures in the
FFIEC Bank Secrecy Act/Anti-Money Laundering Examination Manual as well as the
NCUA Examiner’s Guide and policy directives when examining credit unions for OFAC
compliance.

Office of Examination & Insurance Response:
We agree with using applicable policies and procedures in the FFIEC Bank Secrecy
Act/Anti-Money Laundering Examination Manual as well as the NCUA Examiner’s
Guide and policy directives when examining credit unions for OFAC compliance. As we
move forward with developing additional guidance with OFAC compliance, including a
national Instruction, we will strive to maintain consistency with other federal banking
regulators.

Again, thank you for the opportunity to comment on this report.
If you have any
questions, please do not hesitate to contact my office.

cc: Office of the Executive Director

s:\stafffolders\mjb\ofac\igmemo-responsetoofacauditreport.doc

APPENDIX A
NCUA Issued OFAC Compliance Guidance,
Letters to Credit Unions, and Regulatory Alerts

Agency Issued OFAC Compliance Guidance

NCUA has issued OFAC compliance program guidance in the NCUA Examiner’s Guide,
NCUA FCU Handbook, NCUA Letters to Credit Unions and NCUA Regulatory Alerts.

NCUA Examiner’s Guide, Bank Secrecy Act, Appendix 18A

OFAC examination procedures are discussed as part of the section on the BSA in
Appendix 18A of the NCUA Examiner’s Guide. The portion on OFAC states that
NCUA is responsible for determining that credit unions comply with OFAC regulations.
One of the listed examination objectives is to ensure the credit union has adequate BSA
policies, procedures, and controls for each of the following:
    • Verifying member identity;
    • Identifying reportable transactions;
    • Maintaining proper documentation;
    • Blocking and reporting transactions required by OFAC; and
    • Complying with the U.S.A. Patriot Act

One of the objectives of a member due diligence program is listed as, “enforcing OFAC
and Patriot Act regulations and enhancing national security”. The credit union’s due
diligence policy should reflect the:
    • Size and complexity of the credit union;
    • Nature and extent of services offered;
    • Level of risk; and
    • Documentation requirements

NCUA Rules and Regulations, Part 748 requires credit unions to have a Bank Secrecy
Act compliance program and procedures.
Although NCUA’s regulations do not
specifically require that credit unions institute an OFAC compliance program, the agency
has advised (see Examiner’s Guide, Appendix 18A) that credit unions may include
OFAC policies within their existing BSA compliance policy.

In particular, NCUA has advised that a part of any credit union’s OFAC compliance
program must include conducting member identification procedures. That is, a specially
designated person within the credit union should determine whether any individual or
entity member appears on the SDN list, as provided and regularly updated by OFAC.
Credit unions must frequently update their own SDN lists in response to any
OFAC-generated updates. Moreover, credit unions must check the names of all parties to a
transaction (i.e., beneficiaries, collateral owners, cosigners/guarantors, receiving/sending
parties) against the SDN list. The credit union must review for compliance all types of
member transactions, including:
    • Share accounts
    • Loans and loan payments
    • Credit cards
    • Letters of credit
    • Lines of credit
    • Safety deposit boxes
    • Wire and ACH transfers
    • Currency exchanges
    • Depositing and cashing checks
    • Money orders or traveler’s checks
    • Trust accounts

Larger credit unions may have special software which can interdict prohibited
transactions.

Credit unions must report to OFAC all blocked and rejected transactions within ten days
from occurrence.
Credit unions must also file a comprehensive report of blocked
property held as of June 30, by September 30 of each year.

OFAC requires credit unions to retain all reports of blockings or rejections and related
records for five years.

NCUA FCU Handbook

The FCU Handbook states that credit unions must understand the various laws,
regulations and penalties for OFAC non-compliance. The handbook states that credit
unions must: (1) establish effective OFAC policies and procedures; (2) maintain a
current list of prohibited individuals and countries; (3) compare their members, new
members and account transactions against the list, blocking all accounts and transactions
with prohibited entities; and (4) ensure that a designated person within the credit union
compares and maintains the current list of prohibited individuals and entities with
members’ transactions.

NCUA Letters to Credit Unions

NCUA Letter to Credit Unions 05-CU-09, issued June 2005, states that a review of BSA
compliance is required as part of NCUA’s risk focused examination program. In that
letter, NCUA acknowledged that while both BSA and OFAC compliance are integral to
any anti-money laundering program, they arise from distinct laws with different
requirements. Consequently, while they are different, some requirements for successful
compliance are the same.
Accordingly, credit unions must develop policies to evaluate
potential compliance risk under both BSA and OFAC requirements and take appropriate
action to reduce such risks.

NCUA Letter to Credit Unions 01-CU-25, issued December 2001, states that, as part of
NCUA’s responsibility to ensure that federally insured credit unions comply with
applicable laws and regulations, NCUA developed an examiner checklist that examiners
may use to document their review of a credit union’s OFAC compliance program. The
checklist contains an introduction and purpose; applicability; penalties; record retention
requirements and includes the following questions:
   1. Does the credit union have policies and procedures for complying with OFAC
      regulations and the various laws OFAC is responsible for administering?
   2. Has the credit union designated a person to be responsible for overseeing
      compliance with the OFAC regulations and any blocked funds?
   3. Does the credit union have a current listing of prohibited countries, organizations
      and individuals?
   4. Does the credit union have a person who is responsible for maintaining a current
      list of prohibited countries, organizations and individuals?
   5. Does the credit union compare new accounts with the OFAC prohibited listing?
   6. Does the credit union regularly compare established accounts and member
      transactions with the prohibited OFAC listing?
   7. Does the credit union block or freeze the accounts and transactions found to
      match the prohibited OFAC listing?
   8. Did the credit union report the blocked or rejected accounts to OFAC within 10
      days?
   9. Did the credit union submit an annual report of the blocked property by
      September 30?
   10. Does the credit union have an OFAC compliance audit at least annually?

NCUA/OFAC Memorandum of Understanding

NCUA, along with the other federal financial institution regulators, signed a
memorandum of understanding (MOU) with OFAC on April 12, 2006. The MOU
provided for information sharing among the signatories pertaining to OFAC compliance
program violations. Under the MOU, the banking agency signatories to the MOU will
provide to OFAC:

   • Information gathered during the course of an examination if such information
     appears to relate to an unreported sanctions violation;
   • Information pertaining to significant deficiencies in a banking organization’s
     policies, procedures, and processes for ensuring compliance with OFAC
     regulations; and
   • Information responding to OFAC requests related to examination or supervisory
     findings regarding a banking organization’s policies, procedures, and processes
     for ensuring compliance with OFAC regulations.

OFAC, in return, will share with the signatories to the MOU:

   • Reports of apparent sanctions violations, including any relevant correspondence
     between OFAC and the subject of the financial institution and status of any
     enforcement action;
   • Notice prior to an on-site investigation or audit of a banking organization;
   • The results of on-site investigations or audits of a banking organization; and
   • Evaluations of apparent violations by a banking organization, including whether
     OFAC has decided to issue a pre-penalty notice or a penalty notice, or to close its
     investigation.

Because the federal banking agencies and OFAC are now sharing information about any
potential sanctions violations, individual financial institutions are expected to report
all potential violations to OFAC or be prepared to explain to all of the financial
regulators why such reports were not filed.

                               APPENDIX B
               Federal Financial Institutions Examination Council
                   (FFIEC) BSA/AML Examination Manual

Enforcement procedures recognize that each financial institution is subject to supervision
and examination by a federal financial institution regulator, which is in turn a member of
the FFIEC. Below are OFAC-related excerpts from the FFIEC BSA/AML examination
manual:

OFAC Risk Assessment:

       Risk matrix (high, moderate, low) for examiner OFAC procedures
          • Customer base
          • High risk customers
          • Overseas branches
          • Electronic banking
          • Number of fund transfers and international transfers
          • Other types of international transactions
          • History of OFAC actions
       Other factors to consider
          • Management risk assessment
          • Board approved policies/procedures consistent with risk profile
          • Strong quality controls
          • Compliance incorporated into all products and organization areas
          • Policies on screening new accounts and transactions

Core Examination Procedures:

The objective is to assess the institution’s risk-based OFAC program and to evaluate
whether it is appropriate for the institution’s risk, taking into consideration its products,
services, customers, transactions, and geographic locations. Procedures –
    1. Determine whether the Board of Directors and senior management have
       developed policies, procedures, and processes based on their risk assessment to
       ensure compliance with OFAC.
    2. Regarding the risk assessment, review the institution’s OFAC program,
       considering the following:
       • The extent of and method for conducting OFAC searches of each relevant
         department/business;
       • The extent of and method for conducting OFAC searches of account parties
         other than accountholders;
       • How OFAC responsibility is assigned;
       • Timeliness of obtaining and updating OFAC lists or filtering criteria;
       • Appropriateness of filtering criteria used to reasonably identify OFAC
         matches;
       • The process used to investigate potential matches;
       • The process used to block or reject transactions;
       • The process used to inform management of blocked/rejected transactions;
       • The adequacy and timeliness of reports to OFAC;
       • The process to manage blocked accounts;
       • The record retention requirements.
    3. Determine the adequacy of independent testing (audit) and follow-up procedures.
    4. Review the adequacy of the institution’s OFAC training program.
    5. Determine whether the institution has adequately addressed weaknesses or
       deficiencies identified by OFAC, auditors or regulators.
    6. Transaction Testing – on the basis of the institution’s risk assessment, prior exam
       reports and review of audit findings, test the adequacy of the credit union’s OFAC
       program by reviewing samples as follows:
       • Sample new accounts and evaluate the filtering process used and the
         documentation maintained evidencing searches.
       • Sample appropriate transactions that may not be related to an account (e.g., fund
         transfers, check cashing) and evaluate the filtering criteria used, the timing of
         the search and the documentation maintained evidencing searches.
       • If the credit union uses an automated search system to conduct searches, assess
         the timing of when updates are made to the system and when the most recent
         OFAC changes were made to the system.
       • Evaluate whether all the institution’s databases are run against the system and
         the frequency of searches.
       • If an automated system is not used, evaluate the process used to check the
         existing customer base against the OFAC list and the frequency of such checks.
       • Review a sample of potential OFAC matches and evaluate the resolution process
         and blocking/rejection process; review a sample of reports to OFAC for
         completeness and timeliness.
       • If the institution is required to maintain blocked accounts, evaluate a sample
         to confirm that adequate records are maintained, that the institution pays a
         commercially reasonable rate of interest and is accurately reporting such
         accounts annually at September 30, and test account blocking controls.
    7. Identify any potential matches not reported to OFAC, discuss with credit union
       management, advise management to immediately report to OFAC and notify
       NCUA management.
    8. Determine the origin of deficiencies and conclude on the adequacy of the credit
       union’s OFAC program.
    9. Discuss OFAC-related examination findings with credit union management.
    10. Include OFAC conclusions within the report of examination, as appropriate.

   Other examination factors
      • Compliance program staffing levels adequate
      • Qualified OFAC officer and clearly defined authority and accountability
      • Appropriate training based upon risk profile
      • Effectiveness of compliance systems and controls
      • Effectiveness of independent testing of systems, training and use
      • Problems and potential problems identified and resolved
      • Compliance systems and controls adaptability to OFAC SDN updates